Connecting JIRA to Active Directory over LDAPS fails with "Connection reset"
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
When setting up an Active Directory connection in JIRA over LDAPS (Secure LDAP), the synchronization will fail with the below error message.
2015-06-20 17:36:28,373 atlassian-scheduler-quartz1.clustered_Worker-3 ERROR [atlassian.scheduler.core.JobLauncher] Scheduled job with ID 'com.atlassian.jira.crowd.embedded.JiraDirectoryPollerManager.10401' failed
org.springframework.ldap.CommunicationException: 192.168.1.100:636; nested exception is javax.naming.CommunicationException: 192.168.1.100:636 [Root exception is java.net.SocketException: Connection reset]
Diagnosis
Environment
- Active Directory 2012 (and R2) connected over LDAPS;
- Java 8;
Other environments might be affected as well, in case you face a problem such as this one, please inform environment specifications on the comments.
Diagnostic Steps
- Analyzing a
tcpdumpgenerated during the synchronization attempt will show multipleRSTpackets sent by the AD server;
Cause
By default, JIRA only uses pooled connections when connecting to a directory server over LDAP. Enabling SSL causes it to disable the pooling, resulting in poorer performance and failures due to connection resets.
Workaround
In order to circumvent the problem, we can enable the SSL connections pooling by adding the below argument to JIRA's startup options.
-Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl'Resolution
The inclusion of this startup parameter by default has been suggested on JRA-41025 - Getting issue details... STATUS .